LDAP for Mobile Laptops

Introduction

Do you use LDAP and Kerberos on your Linux laptop? Do you wish your laptop worked when away from your LDAP and Kerberos servers?

This is an effort to document the settings and work necessary to allow a laptop to use LDAP and Kerberos for network information and authentication without sacrificing mobility.

Settings

/etc/nsswitch.conf

The Name Service Switch configuration file should list both the local files and LDAP as lookup sources, so that local accounts keep resolving when the LDAP server is unreachable.

passwd: files ldap
shadow: files
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

/etc/pam.d/system-auth

In addition to the Kerberos PAM modules, pam_ccreds is used to cache authentication tokens locally. This allows a laptop to authenticate a user when the Kerberos server is not available. The pam_ccreds module had to be modified so that non-root applications could authenticate. See Red Hat Bugzilla #151914.

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so
 ## Ignore unavailable; allow pam_ccreds to try.
 ## 1 = skip one module down, 2 = skip two modules down.
auth [authinfo_unavail=ignore success=1 default=2] /lib/security/$ISA/pam_krb5.so use_first_pass
 ## Patched pam_ccreds to allow xscreensaver (non-root) to validate.
 ## Validate against cached credentials, if available.
auth [default=done] /lib/security/$ISA/pam_ccreds.so action=validate use_first_pass
 ## Patched pam_ccreds to allow xscreensaver (non-root) to store/update.
 ## Store (cache) valid credentials locally.
auth [default=done] /lib/security/$ISA/pam_ccreds.so action=store
 ## Delete credentials.
auth [default=done] /lib/security/$ISA/pam_ccreds.so action=update
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [authinfo_unavail=ignore default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
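To see which module actually decides the result of the auth stack above, here is an added example (not from this page or from Linux-PAM) that models the pam.conf control semantics for that stack and traces it for the online, offline and wrong-password cases. The module behaviour and the scenario flags (local, kdc_up, password_ok, cache_valid) are simplifying assumptions for illustration.

```python
SUCCESS, AUTH_ERR, UNAVAIL = "success", "auth_err", "authinfo_unavail"
# Keyword controls in their [value=action] form (see pam.conf(5)).
SUFFICIENT = {"success": "done", "default": "ignore"}
REQUIRED = {"success": "ok", "ignore": "ignore", "default": "bad"}
# The auth section of the system-auth above, as (module, control) pairs.
AUTH_STACK = [
    ("pam_env", REQUIRED),
    ("pam_unix", SUFFICIENT),
    ("pam_krb5", {"authinfo_unavail": "ignore", "success": 1, "default": 2}),
    ("ccreds_validate", {"default": "done"}),
    ("ccreds_store", {"default": "done"}),
    ("ccreds_update", {"default": "done"}),
    ("pam_deny", REQUIRED),
]

def module_result(name, s):
    """Assumed module behaviour for the scenario flags in dict s."""
    if name == "pam_unix":
        return SUCCESS if s["local"] and s["password_ok"] else AUTH_ERR
    if name == "pam_krb5":
        return UNAVAIL if not s["kdc_up"] else (SUCCESS if s["password_ok"] else AUTH_ERR)
    if name == "ccreds_validate":
        return SUCCESS if s["cache_valid"] and s["password_ok"] else AUTH_ERR
    return AUTH_ERR if name == "pam_deny" else SUCCESS  # pam_env, store, update

def run_auth(scenario):
    """Walk the stack; return (final result, modules actually executed)."""
    status, impression, skip, visited = None, "undef", 0, []
    for name, ctrl in AUTH_STACK:
        if skip:                      # jumped over by an earlier N action
            skip -= 1
            continue
        res = module_result(name, scenario)
        visited.append(name)
        action = ctrl.get(res, ctrl["default"])
        if action == "ignore":
            continue
        if action in ("bad", "die"):  # first failure decides the stack
            if impression != "negative":
                impression, status = "negative", res
            if action == "die":
                break
            continue
        # ok, done and a jump N all contribute like "ok" (pam.conf(5))
        if impression == "undef" or (impression == "positive" and status == SUCCESS):
            impression, status = "positive", res
        if isinstance(action, int):
            skip = action
        elif action == "done" and impression == "positive":
            break
    return (status if impression != "undef" else "perm_denied"), visited
```

Running the wrong-password case shows that with this stack a failed online Kerberos authentication jumps to the update action, which removes the cached credentials.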

/etc/nscd.conf

nscd, the name service cache daemon, caches network information such as passwd, group and hosts lookups. It is normally used to reduce the number of LDAP queries for performance, but it can also be configured to cache for long periods, which lets it keep supplying network information when the laptop cannot contact the LDAP server. The reload-count, positive-time-to-live and persistent options below are raised so that nscd keeps entries for extended periods of time (2592000 seconds is 30 days).

server-user nscd
debug-level 0
reload-count unlimited
paranoia no
enable-cache passwd yes
positive-time-to-live passwd 2592000
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
enable-cache group yes
positive-time-to-live group 2592000
negative-time-to-live group 20
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
enable-cache hosts yes
positive-time-to-live hosts 2592000
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes

/etc/ldap.conf

The bind_policy soft option prevents nss_ldap from retrying failed LDAP queries. With the default (hard) bind policy, nss_ldap retries a query several times when the LDAP server is unreachable, which can pause routine operations for several seconds.

bind_policy soft
base dc=flyn,dc=org
uri ldaps://golem.flyn.org/
timelimit 5
bind_timelimit 5
ssl start_tls
ssl on
tls_cacertdir /etc/openldap/cacerts
pam_password md5

/etc/krb5.conf

The kdc_timeout and max_retries options reduce the time the laptop waits on a connection to the Kerberos server. Setting these parameters low lets the laptop give up on Kerberos requests quickly and fall back to the cached credentials.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = flyn.org
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
[realms]
 flyn.org = {
  kdc = golem.flyn.org:88
  admin_server = golem.flyn.org:749
  default_domain = flyn.org
 }
[domain_realm]
 .flyn.org = flyn.org
 flyn.org = flyn.org
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
   kdc_timeout = 1
   max_retries = 1
 }

Issues

  1. The nscd system does not support disconnected operation correctly (See glibc Bugzilla bug #2132)
  2. The pam_ccreds module is not fully integrated into Fedora (See Red Hat Bugzilla bug #145044)
  3. The pam_ccreds module does not yet fully integrate with SELinux (See Red Hat Bugzilla bug #154133)